Azure : Renewing the SSL Certificate of the Azure Application Gateway

Introduction

Today’s post is about changing the SSL certificate of an Application Gateway. Why a post about this? Isn’t it just an upload button? You would think so. When creating the listener, the UI is nice and easy, though it seems someone forgot the renewal flow. 😉 This is the screen you get when you look at the HTTPS listener: we can see the certificate, but there is no way to edit this part…

[Screenshot: Azure portal, Application Gateway HTTPS listener]

So we’ll have to do this manually, via PowerShell!


Updating the Certificate

First, get your application gateway (the resource group name is required as well):

[Screenshot: Windows PowerShell, Get-AzureRmApplicationGateway]

And find your certificate:

[Screenshot: Windows PowerShell, Get-AzureRmApplicationGatewaySslCertificate]

Next up: delete it…

[Screenshot: Windows PowerShell, Remove-AzureRmApplicationGatewaySslCertificate]

Add the renewed certificate, under the same name the listener already references:

[Screenshot: Windows PowerShell, Add-AzureRmApplicationGatewaySslCertificate]

And save the configuration:

[Screenshot: Windows PowerShell, Set-AzureRmApplicationGateway]

And that was it! (Bear in mind that the last step takes a while.)


The Code

# Get the gateway object; -ResourceGroupName is mandatory (myresourcegroup is a placeholder)
$agw = Get-AzureRmApplicationGateway -Name myname -ResourceGroupName myresourcegroup

# Remove the expiring certificate from the local gateway object (nothing is sent to Azure yet)
Remove-AzureRmApplicationGatewaySslCertificate -Name my.domain.tld -ApplicationGateway $agw

# Add the renewed PFX under the SAME name: the listener still references the certificate by name,
# and Set-AzureRmApplicationGateway fails if that reference no longer resolves.
# Older AzureRM.Network versions take -Password as a plain string; newer ones require a SecureString.
Add-AzureRmApplicationGatewaySslCertificate -Name "my.domain.tld" -CertificateFile .\path\to\my.domain.tld.pfx -Password "MyNotSoSecretPassword" -ApplicationGateway $agw

# Commit the change to Azure; this is the slow step
Set-AzureRmApplicationGateway -ApplicationGateway $agw
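The following is an added example, not the post’s own script. It does the renewal in the order that also works when the certificate name changes: add the new certificate, re-point the listener(s) to it, remove the old one, then commit, so Set-AzureRmApplicationGateway never sees a listener referencing a certificate that no longer exists. It also prints the expiry date of the certificate currently deployed. The resource group, gateway and certificate names and the PFX path are placeholders; it assumes the AzureRm module with an active login. The way PublicCertData is decoded (a base64 PKCS#7 blob, with a fallback to a bare X.509 certificate) and the SecureString type of -Password are assumptions about the module, not something the post states.

```powershell
# Added example, not the post's own code. Placeholders: resource group, gateway,
# certificate names and PFX path. Assumes the AzureRm module and an active
# Login-AzureRmAccount session.
Add-Type -AssemblyName System.Security   # System.Security.Cryptography.Pkcs

$rgName  = "myresourcegroup"
$agwName = "myname"
$oldName = "my.domain.tld"        # certificate name the listener currently points at
$newName = "my.domain.tld-2018"   # new name; a suffix keeps renewals apart in the portal
$pfxPath = ".\path\to\my.domain.tld.pfx"

# Prompt for the PFX password instead of leaving it in the script or shell history.
# Assumption: a recent AzureRM.Network, where -Password is a [SecureString];
# old versions took a plain [string].
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Returns the earliest NotAfter found in a gateway certificate's PublicCertData.
# Assumption: PublicCertData is a base64 PKCS#7 blob holding the leaf plus chain;
# fall back to a single X.509 certificate if SignedCms cannot decode it.
function Get-AgwCertificateExpiry {
    param([Parameter(Mandatory)][string]$PublicCertData)
    $bytes = [Convert]::FromBase64String($PublicCertData)
    try {
        $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
        $cms.Decode($bytes)
        $certs = @($cms.Certificates)
    } catch {
        $certs = @(New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes))
    }
    # The leaf expires first, and that is the date the renewal has to beat.
    return ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
}

$agw     = Get-AzureRmApplicationGateway -Name $agwName -ResourceGroupName $rgName
$oldCert = Get-AzureRmApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $oldName
Write-Host ("Certificate '{0}' currently expires on {1}" -f $oldName, (Get-AgwCertificateExpiry $oldCert.PublicCertData))

# 1. Add the renewed PFX under the new name. This only edits the local $agw object.
$agw     = Add-AzureRmApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $newName `
             -CertificateFile $pfxPath -Password $pfxPassword
$newCert = Get-AzureRmApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $newName

# 2. Re-point every HTTPS listener that still references the old certificate.
#    Without this, Set-AzureRmApplicationGateway rejects the dangling reference.
foreach ($listener in Get-AzureRmApplicationGatewayHttpListener -ApplicationGateway $agw) {
    if ($listener.SslCertificate -and $listener.SslCertificate.Id -eq $oldCert.Id) {
        Write-Host ("Listener '{0}': {1} -> {2}" -f $listener.Name, $oldName, $newName)
        $listener.SslCertificate.Id = $newCert.Id
    }
}

# 3. Nothing references the old certificate any more, so it can go.
$agw = Remove-AzureRmApplicationGatewaySslCertificate -ApplicationGateway $agw -Name $oldName

# 4. Commit to Azure. This is the slow step; expect several minutes.
$agw = Set-AzureRmApplicationGateway -ApplicationGateway $agw

# 5. Verify on the returned object which certificate each HTTPS listener now binds.
Get-AzureRmApplicationGatewayHttpListener -ApplicationGateway $agw |
    Where-Object { $_.Protocol -eq "Https" } |
    Select-Object Name, @{ n = "SslCertificate"; e = { ($_.SslCertificate.Id -split "/")[-1] } }
```

Run it once per gateway; because Add, Remove and the listener edit only touch the in-memory object, a failure before step 4 leaves the deployed gateway untouched and you can simply re-read it and start over. The final listing is also the quickest way to confirm the swap, since the portal does not make the certificate change obvious.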

11 thoughts on “Azure : Renewing the SSL Certificate of the Azure Application Gateway”

  1. Nice post! :). Always a hassle changing out certificates, think of ADFS and WAP :).

  2. Great post;
    I encounter an issue while running the last command: Set-AzureRmApplicationGateway -ApplicationGateway $agw
    I get:
    Set-AzureRmApplicationGateway : Resource subscriptions/…/OldCert referenced by resource /subscriptions/…/CurrentListener was not found. Please make sure that the referenced resource exists, and that both resources are in the
    same region.

    Any ideas why?

  3. What’s the output of ; $agw (or when you “Get-AzureRmApplicationGateway -Name myname”)?

  4. I’ve had no luck with this script. I’m sure it’s something I’m doing wrong. Also, you need to pass in -ResourceGroupName or it breaks.

  5. Scratch that. The script IS working, but as mentioned earlier, you still need to pass in resource group name:

    $agw = Get-AzureRmApplicationGateway -Name -ResourceGroupName

  6. I had to add the new cert and commit it before removing the old one to get this to work correctly.

  7. Am I the only one who can’t verify certificate deletion in portal? Seems only possible to verify in powershell?

    1. Is it a passphrase protected certificate? If that’s the case, then I can concur on the sentiment. Best thing to do is open a support case for it, so that the attention rises towards the issue.

  8. Sorin, I encountered the same error as you.
    If you change the name of the certificate, the command doesn’t work! It outputs the error you mentioned.
    That’s because in this case, the listener still has the old certificate name (it isn’t updated with the above commands).
    So, the above commands work ONLY if you keep the same certificate name (you can find it in the portal, at ‘Listeners’).

    It would be nice if someone finds the commands to change the certificate name too.

  9. Hi All,
    thanks for the post, but how can I check if the certificate is about to expire? Is there a way to see this date?
